Privacy Shield: Two Key Players Discuss “What Now and Next?”
In the plenary session of WireWheel’s SPOKES Privacy Conference, two central figures in crafting transatlantic data transfer protection schemata ― Bruno Gencarelli and Justin Antonipillai ― discussed where things are post-Schrems II, and where they may be headed.
Bruno is the European Commission’s Head of International Data Transfers and led the General Data Protection Regulation (“GDPR”) team. Justin, WireWheel CEO and former Obama administration Acting Under Secretary, U.S. Department of Commerce, worked with Bruno on the original data transfer Safe Harbor agreement.
Bruno graciously took time out to speak at the virtual conference during very intensive post-Brexit discussions in London. As reported by Politico shortly after the conference: “With time running out for the EU to grant the U.K.’s data protection regime a stamp of approval before the Brexit transition period ends, officials are considering options to keep personal data flowing across the Channel…” (Manancourt, 2020).
A Brief History
Article 45 of the GDPR states: “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation” (emphasis added).
The assessment of protection “adequacy” considers, among other things, “access of public authorities to personal data.” This has been a particular point of controversy with regard to EU-U.S. data transfers, and meeting the adequacy requirements set forth by the GDPR has proven problematic.
Attempt One: Safe Harbor
The first response to these requirements resulted in a Safe Harbor agreement between the U.S. and EU and U.S. and Switzerland. However, in October 2015, the European Court of Justice (“ECJ”) ruled Safe Harbor invalid as a result of what is retrospectively referred to as “Schrems I.” It is so named for plaintiff Maximillian Schrems, a privacy advocate who brought a complaint to the Irish Data Protection Commissioner (“IDP”), spurred by the infamous Edward Snowden “disclosures.”
“The main reason for this ruling appeared to be the fact that the CJEU [Court of Justice of the European Union] was of the opinion that in adopting Article 3 of the Safe Harbour agreement, the EC [European Commission] exceeded its powers by making a shortcut on the adequacy procedure that should be followed…” (Baker McKenzie, 2019).
Attempt Two: Privacy Shield
Post-Safe Harbor the EC issued guidance on meeting adequacy requirements offering three alternative means of safeguarding data:
1. Standard Contractual Clauses (“SCCs”)
Four model clauses: two concerning transfers between data “controllers,” and two between a “controller and processor operating under instructions.”
2. Intra-Group Transfers
Adoption of Binding Corporate Rules (“BCRs”) governing the transfer of personal data between a multinational’s worldwide entities. And,
Absent an adequacy decision under the GDPR, and “irrespective of the use of SCCs and/or BCRs,” data can still be transferred as long as it meets “one of the alternative derogations set out in Article 26(1) of Directive 95/46/EC.” Alternatives include, for example, consent of data subject, or the need to transfer data for performance of a contract between the controller and the data subject.
With this as guidance, the EU-U.S. and Swiss-U.S. Privacy Shield ― “designed by the U.S. Department of Commerce, EC, and Swiss Administration” ― came into force in July 2016 and January 2017, respectively.
Max Schrems disagreed.
“In Schrems II, the IDP argued that the SCCs did not constitute an adequate level of protection of personal data, as they lacked safeguards against U.S. government surveillance and therefore violate Articles 7, 8, and 47 of the EU Charter of Fundamental Rights” (Jones Day, 2020).
While the CJEU upheld the validity of SCCs generally, it found that the EU-U.S. Privacy Shield did not “include satisfactory limitations in order to ensure the protection of EU personal data from access and use by U.S. public authorities on the basis of U.S. domestic law.” (JD, 2020).
On 12 July 2020, the CJEU invalidated the EU-U.S. Privacy Shield Framework, reasoning that it did not meet necessary adequacy requirements. On 8 September 2020, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland similarly concluded that the Swiss-U.S. Privacy Shield Framework did not provide adequate levels of protection and that, going forward, while organizations are not relieved of their obligations under the framework, they should seek guidance from the FDPIC or legal counsel.
It is as insiders with a shared history and deep insight that Bruno and Justin met to discuss the state of the state of transatlantic data transfers.
Where Are We Now
“We are working on adequacy with respect to the UK…We want to make sure that when and if there is an adequacy decision, it will be a decision that will deliver the legal certainty that stakeholders are legitimately expecting. And to ensure, as much as possible, the continuity and stability of transfers and that includes…compliance with the requirements that the Court of Justice…has provided for in the Schrems II judgment” (emphasis added). ―Gencarelli
A guiding principle within GDPR’s Article 45, as noted in Recital 103 to paragraph one, is to provide “legal certainty and uniformity” so that transfers of personal data may take place without the need to obtain any further authorization. This is reinforced by the Schrems II decision:
“What we learn with Schrems II, is what is the standard that what we have apply specifically, and a number of issues, including around redress avenues, that have to be available,” says Bruno. “…[This applies] with respect to the U.S….the UK, or any other country that would be interested in entering into this type of talks with the EU. And that’s precisely what we’re doing right now: making sure that we can, in any assessment of the UK system, meet those requirements that the Court of Justice [ECJ] has specified.”
In the Meantime
“Today Privacy Shield is not an adequate means of transfer between Europe and the United States,” notes Antonipillai, “[and…companies] are relying largely on SCCs…to do the right thing. So for this window ― between now and when there is a new administration ― is there a possibility for engagement with the Commission on a new version of the privacy shield…?”
“There has been engagement with the U.S. since day one…[and] there has been willingness on both sides to work on the new transfer mechanism…We just need to make sure that the transfer mechanism is solid and can deliver that legal certainty. So there has been useful work in terms of first coming to a certain understanding of what are the requirements and then identifying what would be the solution. That work is ongoing right now and we continue in the coming days.” ―Gencarelli
“Is there political will?” asks Justin. “Even in the face of some of the criticism that came last time?”
“That desire has already been expressed [in] a joint statement by the two leaders on each side,” says Bruno. “Commissioner [Didier Reynders], who is the European Commissioner for Justice, and U.S. Commerce Secretary Ross indicating not only willingness, [but] readiness.”
“There are things we can do in the meantime [while we negotiate new agreements] that concern international transfers. More generally… we have and published a new set of draft standard contractual clauses which don’t only try to put some flesh on the Schrems II criteria by providing companies what we believe are a very concrete checklist and toolbox of things [to] consider when trying to comply with Schrems II.
“We believe in a much more user-friendly way: first to have one single entry point where companies have a single set of standards, and then according to their business model, the type of transfer, [and] where they’re transferring to, [they] can use a number of different models.” ―Gencarelli
Live: Breaking News!
“Today,” Bruno informs conference attendees, “the European Commission has published a communication…on how we see the transatlantic relationship and engagement with the new [Biden] administration. It has been put online a few hours ago. It’s a document called The New Transatlantic Agenda for Global Change.…” Among the issues addressed, “as an action point almost, is the intensification of cooperation to facilitate free data flow with trust: data flows that are based on common and strong safeguards.”
“That’s a further indication, I think, of our willingness and readiness,” insists Bruno.
This new agenda proposed by the EC and EU High Representative is rather sweeping in scope. It addresses Covid-19, climate change, a “green” agenda, “strengthening democracy” around the globe, and “working together on technology, trade and standards.” The proposal on technology, trade and standards alone is sweeping in its scope and proposes “working closely with the US to:
- Solve bilateral trade irritants,
- Lead reform of the WTO,
- Establish a new EU-US Trade and Technology Council,
- Create a specific dialogue with the US on the responsibility of online platforms and Big Tech,
- Work together on fair taxation and market distortions,
- Develop a common approach to protecting critical technologies,
- Artificial Intelligence, data flows, and finally,
- Cooperation on regulation and standards.”
Importantly, Bruno notes that in the coming weeks his International Data Transfers team is organizing a number of (virtual) workshops with stakeholders to get line-by-line feedback on the draft SCCs.
“I can tell you,” says Bruno, “input and feedback, if specific on consequences, including unintended consequences of some of the ideas that we have put forward, that the EDPB has put forward, matters. It is very important. When you’re talking about which safeguards to put in place, we have tried to build on certain best practices we have observed in the market. Maybe there are things we have missed. Maybe there are things we have misunderstood.”
“[We want to do this] as quickly as possible. That’s why we’re doing this before the end of the year: to be able to, as soon as possible in the new year, put in place these new SCCs.”
A New Privacy Shield?
Not everyone is optimistic that it will happen very quickly.
As reported by Reuters, “‘I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield-like solution will last for a while,’ European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski told Reuters.” However, he notes that “‘The proposed standard contractual clauses look very promising and they are already introducing many thoughts given by the data protection authorities’” (Chee, 2020).
“[I understand] the many complexities, anxieties, concerns, questions around Schrems II. But if we step back…and look at the broader picture…[there] is a lot of convergence around the world right now on what are the main elements of a modern privacy legislation ― from Brazil to Japan ― and I don’t think there’s so many regulated areas where we see this….
“And that concerns the U.S. as well. We have seen what has happened a few weeks ago in California, we are seeing the debate at the federal level.” ―Gencarelli
“Paradoxically (or not), there is now more common ground than there was even a few years ago to work on these issues globally,” says Bruno. “When I was leading the team negotiating the GDPR and was coming to the U.S. six years ago, the question I got was why on earth are you doing this thing? The question [now has] moved from why to how.”